Document Comparison
PCI_DSS_Glossary_v3-1.pdf
→
PCI_DSS_Glossary_v3-2.pdf
78% similar
Pages: 23 → 24
Words: 9426 → 9763
Content changes: 22
22 content changes. 38 administrative changes (dates, page numbers) hidden.
Added
p. 2
Administrative Access Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications.
Administrative access can be assigned to an individual’s account or a built-in system account. Accounts with administrative access are often referred to as “superuser”, “root”, “administrator”, “admin”, “sysadmin” or “supervisor-state”, depending on the particular operating system and organizational structure.
Added
p. 5
Critical systems / critical technologies A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.
Cryptographic Key Generation Key generation is one of the functions within key management. The following documents provide recognized guidance on proper key generation:
NIST Special Publication 800-133: Recommendation for Cryptographic Key Generation
ISO 11568-2 Financial services
• Key management (retail)
• Part 2: Symmetric ciphers, their key management and life cycle
o 4.3 Key generation
ISO 11568-4 Financial services
• Key management (retail)
• Part 4: Asymmetric cryptosystems
• Key …
Added
p. 9
For further guidance, refer to industry standards, such as current versions of NIST Special Publications 800-107 and 800-106, Federal Information Processing Standard (FIPS) 180-4 Secure Hash Standard (SHS), and FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.
Added
p. 12
Multi-Factor Authentication Method of authenticating a user whereby at least two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).
Non-Console Access Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks.
Added
p. 21
Strong Cryptography Cryptography based on industry-tested and accepted algorithms, along with key lengths that provide a minimum of 112-bits of effective key strength and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is “one way”; that is, not reversible). See Hashing.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.1
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.2
Modified
p. 2
AOV Acronym for “attestation of validation.” The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
AOV Acronym for “attestation of validation.” The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
Modified
p. 4
CAV • Card Authentication Value (JCB payment cards)
CVC • Card Validation Code (MasterCard payment cards)
CVV • Card Verification Value (Visa and Discover payment cards)
CSC • Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number …
CAV • Card Authentication Value (JCB payment cards) PAN
CVC • Card Validation Code (MasterCard payment cards)
CVV • Card Verification Value (Visa and Discover payment cards)
CSC • Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed …
Modified
p. 4
CID • Card Identification Number (American Express and Discover payment cards)
CAV2 • Card Authentication Value 2 (JCB payment cards)
CVC2 • Card Validation Code 2 (MasterCard payment cards)
CVV2 • Card Verification Value 2 (Visa payment cards)
Cardholder Non-consumer or consumer customer to whom a payment card is issued to or any individual authorized to use the payment card.
CID • Card Identification Number (American Express and Discover payment cards)
CAV2 • Card Authentication Value 2 (JCB payment cards) PAN
CVC2 • Card Validation Code 2 (MasterCard payment cards)
CVV2 • Card Verification Value 2 (Visa payment cards)
Cardholder Non-consumer or consumer customer to whom a payment card is issued to or any individual authorized to use the payment card.
Modified
p. 6 → 7
Disk Encryption Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
Disk Encryption Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
Modified
p. 7 → 8
FIPS Acronym for “Federal Information Processing Standards.” Standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.
FIPS Acronym for “Federal Information Processing Standards.” Standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.
Removed
p. 12
Non-Console Administrative Access Refers to logical administrative access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console administrative access includes access from within local/internal networks as well as access from external, or remote, networks.
Modified
p. 12 → 13
NIST Acronym for “National Institute of Standards and Technology.” Non-regulatory federal agency within U.S. Commerce Department's Technology Administration.
NIST Acronym for “National Institute of Standards and Technology.” Non-regulatory federal agency within U.S. Commerce Department's Technology Administration.
Modified
p. 13 → 14
PA-DSS Acronym for “Payment Application Data Security Standard.” PA-QSA Acronym for “Payment Application Qualified Security Assessor.” PA-QSAs are qualified by PCI SSC to assess payment applications against the PA-DSS. Refer to the PA-DSS Program Guide and PA-QSA Qualification Requirements for details about requirements for PA-QSA Companies and Employees.
PA-DSS Acronym for “Payment Application Data Security Standard.” PA-QSA Acronym for “Payment Application Qualified Security Assessor.” PA-QSAs are qualified by PCI SSC to assess payment applications against the PA-DSS. Refer to the PA-DSS Program Guide and PA-QSA Qualification Requirements for details about requirements for PA-QSA Companies and Employees.
Modified
p. 16 → 17
RADIUS Abbreviation for “Remote Authentication Dial-In User Service.” Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
RADIUS Abbreviation for “Remote Authentication Dial-In User Service.” Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide multi-factor authentication.
Modified
p. 16 → 17
Removable Electronic Media Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and removable hard drives.
Removable Electronic Media Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and external/portable hard drives.
Modified
p. 20 → 21
Note: The above examples are appropriate for persistent storage of cardholder data. The minimum cryptography requirements for transaction-based operations, as defined in PCI PIN and PTS, are more flexible as there are additional controls in place to reduce the level of exposure. For example, double length TDES keys used in unique key per transaction implementations as defined in ISO 11568 for key derivation or transformation (e.g., DUKPT) are considered to provide an equivalent level of strong cryptography because a …
Note: The above examples are appropriate for persistent storage of cardholder data. The minimum cryptography requirements for transaction-based operations, as defined in PCI PIN and PTS, are more flexible as there are additional controls in place to reduce the level of exposure.
Modified
p. 20 → 21
TACACS Acronym for “Terminal Access Controller Access Control System.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
TACACS Acronym for “Terminal Access Controller Access Control System.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide multi-factor authentication.
Modified
p. 20 → 21
TCP Acronym for “Transmission Control Protocol.” One of the core transport-layer protocols of the Internet Protocol (IP) suite, and the basic communication language or protocol of the Internet. See IP.
TCP Acronym for “Transmission Control Protocol.” One of the core transport-layer protocols of the Internet Protocol (IP) suite, and the basic communication language or protocol of the Internet. See IP.
Removed
p. 21
Two-Factor Authentication Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, parametrics, etc.).
Modified
p. 21 → 22
Token In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN. See also Session Token.
Token In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or multi-factor authentication. See RADIUS, TACACS, and VPN. See also Session Token.
Modified
p. 23 → 24
Wildcard A character that may be substituted for a defined subset of possible characters in an application version scheme. In the context of PA-DSS, wildcards can optionally be used to represent a non-security impacting change. A wildcard is the only variable element of the vendor’s version scheme, and is used to indicate there are only minor, non-security-impacting changes between each version represented by the wildcard element.
Wildcard A character that may be substituted for a defined subset of possible characters in an application version scheme. In the context of PA-DSS, wildcards can optionally be used to represent a non-security impacting change. A wildcard is the only variable element of the vendor’s version scheme, and is used to indicate there are only minor, non-security-impacting changes between each version represented by the wildcard element.